More Servlets and JavaServer Pages

Chapter 7: Declarative Security

To view source code for other chapters in this book, mouse over the table of contents bar on the left.

Source Code from Chapter

Note: right-click or shift-click on the links to download the associated file.

Form-based authentication: the `hotdotcom` application

tomcat-users.xml. Tomcat-specific password file.
users.properties. JRun-specific password file.
web.xml. Deployment descriptor for the hotdotcom application.
index.jsp. Top-level home page for the hotdotcom application.
company-styles.css. Style sheet used by almost all JSP pages in the hotdotcom application.
The admin directory:
- login.jsp. A login page that follows the standard format: a form with an ACTION of j_security_check, a textfield named j_username, and a password field named j_password.
- login-error.jsp. Page used to report failed login attempts.
- delete-account.jsp. Page that is accessible only to users in the administrator role.
- confirm-deletion.jsp. Page to confirm the deletion of accounts.
The investing directory:
- index.html. Top-level home page. Available only to authenticated users in the registered-user role.
- account-status.jsp. Page that shows summarized information on a client's account. Available only to authenticated users in the registered-user role.
- sucker.jsp. Page that confirms a stock purchase. Since the FinalizePurchase servlet uses a RequestDispatcher to invoke this page, no page-specific security settings apply.
The ssl directory:
- buy-stock.jsp. Page used to order stock. Available only with SSL (https) connections.
- StockInfo.java. Bean used by buy-stock.jsp (not actually in the ssl directory).
- FinalizePurchaseServlet.java. Servlet that reads credit card information, performs a stock purchase, and displays confirmation page. The servlet is not actually stored in the ssl directory, but the web.xml file assigns the servlet a custom URL that makes it appear that the servlet is in that directory. Available only with SSL (https) connections.
The business directory
- index.html. Top-level home page. Available to all users: no security settings apply.
The history directory
- index.html. Top-level home page. Available to all users: no security settings apply.
RedirectorServlet.java. Servlet that simply redirects users to the Web application home page. Registered with the default servlet URL to prevent access to servlets through URLs that have no security settings.
hotdotcom.war. The entire hotdotcom application bundled in a WAR (Web ARchive) file.

BASIC authentication: the `hotdotcom-internal` application

web.xml. Deployment descriptor for the hotdotcom-internal application.
tomcat-users.xml. Tomcat-specific password file.
index.jsp. Top-level home page.
company-styles.css. Style sheet used by almost all JSP pages in the hotdotcom-internal application.
financial-plan.html. Page that shows the company's financial plan. Available only to authenticated users in the employee or executive roles.
business-plan.html. Page that shows the company's business plan. Available only to authenticated users in the executive role.
RedirectorServlet.java. Servlet that simply redirects users to the Web application home page. Registered with the default servlet URL to prevent access to servlets through URLs that have no security settings.
hotdotcom-internal.war. The entire hotdotcom-internal application bundled in a WAR (Web ARchive) file.